Testing Your Configuration

This section describes how to test connectivity for the single mode ASA or for each security context, how to ping the ASA interfaces, and how to allow hosts on one interface to ping through to hosts on another interface.

Enabling ICMP Debug Messages and System Log Messages

Debug messages and system log messages can help you troubleshoot why your pings are not successful. The ASA only shows ICMP debug messages for pings to the ASA interfaces, and not for pings through the ASA to other hosts. To enable debugging and system log messages, perform the following steps:

Command

Purpose

Step 1

debug icmp trace

Shows ICMP packet information for pings to the ASA interfaces.

Step 2

logging monitor debug

Sets system log messages to be sent to Telnet or SSH sessions.

Note You can alternately use the logging buffer debug command to send log messages to a buffer, and then view them later using the show logging command.

Step 3

terminal monitor

Sends the system log messages to a Telnet or SSH session.

Step 4

logging on

Enables system log messages.

Examples

The following example shows a successful ping from an external host (209.165.201.2) to the ASA outside interface (209.165.201.1):

This example shows the ICMP packet length (32 bytes), the ICMP packet identifier (1), and the ICMP sequence number (the ICMP sequence number starts at 0 and is incremented each time that a request is sent).

Pinging Security Appliance Interfaces

To test whether the ASA interfaces are up and running and that the ASA and connected routers are operating correctly, you can ping the ASA interfaces. To ping the ASA interfaces, perform the following steps:

Note Although this procedure uses IP addresses, the ping command also supports DNS names and names that are assigned to a local IP address with the name command.

The diagram should also include any directly connected routers, and a host on the other side of the router from which you will ping the ASA. You will use this information in this procedure and in the procedure in "Pinging Through the Security Appliance" section. For example:

Figure 27-1 Network Diagram with Interfaces, Routers, and Hosts

Step 2 Ping each ASA interface from thedirectly connectedrouters. For transparent mode, ping the management IP address. This test ensures that the ASA interfaces are active and that the interface configuration is correct.

A ping might fail if the ASA interface is not active, the interface configuration is incorrect, or if a switch between the ASA and a router is down (see Figure 27-2). In this case, no debug messages or system log messages appear, because the packet never reaches the ASA.

Figure 27-2 Ping Failure at Security Appliance Interface

If the ping reaches the ASA, and the ASA responds, debug messages similar to the following appear:

ICMP echo reply (len 32 id 1 seq 256) 209.165.201.1 > 209.165.201.2

ICMP echo request (len 32 id 1 seq 512) 209.165.201.2 > 209.165.201.1

If the ping reply does not return to the router, then a switch loop or redundant IP addresses may exist (see Figure 27-3).

Figure 27-3 Ping Failure Because of IP Addressing Problems

Step 3 Ping each ASA interface from a remote host. For transparent mode, ping the management IP address. This test checks whether the directly connected router can route the packet between the host and the ASA, and whether the ASA can correctly route the packet back to the host.

A ping might fail if the ASA does not have a return route to the host through the intermediate router (see Figure 27-4). In this case, the debug messages show that the ping was successful, but system log message 110001 appears, indicating a routing failure.

Figure 27-4 Ping Failure Because the Security Appliance has no Return Route

Pinging Through the Security Appliance

After you successfully ping the ASA interfaces, make sure traffic can pass successfully through the ASA. For routed mode, this test shows that NAT is operating correctly, if configured. For transparent mode, which does not use NAT, this test confirms that the ASA is operating correctly. If the ping fails in transparent mode, contact Cisco TAC.

To ping between hosts on different interfaces, perform the following steps:

Command

Purpose

Step 1

access-list ICMPACLextendedpermit icmp
any any

Adds an access list allowing ICMP from any source host.

Note By default, when hosts access a lower security interface, all traffic is allowed through. However, to access a higher security interface, you need the preceding access list.

Step 2

access-group ICMPACLin interface
interface_name

Assigns the access list to each source interface.

Note Repeat this command for each source interface.

Step 3

class-map ICMP-CLASS

match access-list ICMPACL

policy-map ICMP-POLICY

class ICMP-CLASS

inspect icmp

service-policy ICMP-POLICY global

Enables the ICMP inspection engine and ensure that ICMP responses may return to the source host.

Note Alternatively, you can also apply the ICMP access list to the destination interface to allow ICMP traffic back through the ASA.

Step 4

logging on

Enables system log messages.

Ping from the host or router through the source interface to another host or router on another interface.

Repeat this step for as many interface pairs as you want to check.

If the ping succeeds, a system log message appears to confirm the address translation for routed mode (305009 or 305011) and that an ICMP connection was established (302020). You can also enter either the show xlate or show conns command to view this information.

If the ping fails for transparent mode, contact Cisco TAC.

For routed mode, the ping might fail because NAT is not configured correctly (see Figure 27-5). This failure is more likely to occur if you enable NAT control. In this case, a system log message appears, showing that the NAT failed (305005 or 305006). If the ping is from an outside host to an inside host, and you do not have a static translation (required with NAT control), the following system log message appears: "106010: deny inbound icmp."

Note The ASA only shows ICMP debug messages for pings to the ASA interfaces, and not for pings through the ASA to other hosts.

Figure 27-5 Ping Failure Because the Security Appliance is not Translating Addresses

Disabling the Test Configuration

After you complete your testing, disable the test configuration that allows ICMP to and through the ASA and that prints debug messages. If you leave this configuration in place, it can pose a serious security risk. Debug messages also slow the ASA performance.

Traceroute

You can trace the route of a packet using the traceroute feature, which is accessed with the traceroute command. A traceroute works by sending UDP packets to a destination on an invalid port. Because the port is not valid, the routers along the way to the destination respond with an ICMP Time Exceeded Message, and report that error to the security appliance.

Packet Tracer

In addition, you can trace the lifespan of a packet through the security appliance to see whether the packet is operating correctly with the packet tracer tool. This tool lets you do the following:

•Debug all packet drops in a production network.

•Verify the configuration is working as intended.

•Show all rules applicable to a packet, along with the CLI commands that caused the rule addition.

•Show a time line of packet changes in a data path.

•Inject tracer packets into the data path.

The packet-tracer command provides detailed information about the packets and how they are processed by the security appliance. If a command from the configuration did not cause the packet to drop, the packet-tracer command will provide information about the cause in an easily readable manner. For example, when a packet is dropped because of an invalid header validation, the following message appears: "packet dropped due to bad ip header (reason)."

Reloading the ASA

In multiple mode, you can only reload from the system execution space. To reload the ASA, enter the following command:

Command

Purpose

reload

Reloads the ASA.

Performing Password Recovery

This section describes how to recover passwords if you have forgotten them or you are locked out because of AAA settings, and how to disable password recovery for extra security. This section includes the following topics:

Step 3 After startup, press the Escape key when you are prompted to enter ROMMON mode.

Step 4 To update the configuration register value, enter the following command:

rommon #1> confreg 0x41

Update Config Register (0x41) in NVRAM...

Step 5 To set the ASA to ignore the startup configuration, enter the following command:

rommon #1> confreg

The ASA displays the current configuration register value, and asks whether you want to change it:

Current Configuration Register: 0x00000041

Configuration Summary:

boot default image from Flash

ignore system configuration

Do you wish to change this configuration? y/n [n]: y

Step 6 Record the current configuration register value, so you can restore it later.

Step 7 At the prompt, enter Y to change the value.

The ASA prompts you for new values.

Step 8 Accept the default values for all settings, except for the "disable system configuration?" value.

Step 9 At the prompt, enter Y.

Step 10 Reload the ASA by entering the following command:

rommon #2> boot

Launching BootLoader...

Boot configuration file contains 1 entry.

Loading disk0:/asa800-226-k8.bin... Booting...Loading...

The ASA loads the default configuration instead of the startup configuration.

Step 11 Access the privileged EXEC mode by entering the following command:

hostname> enable

Step 12 When prompted for the password, press Enter.

The password is blank.

Step 13 Load the startup configuration by entering the following command:

hostname# copy startup-config running-config

Step 14 Access the global configuration mode by entering the following command:

hostname# configure terminal

Step 15 Change the passwords, as required, in the default configuration by entering the following commands:

hostname(config)# password password

hostname(config)# enable password password

hostname(config)# username name password password

Step 16 Load the default configuration by entering the following command:

hostname(config)# noconfig-register

The default configuration register value is 0x1. For more information about the configuration register, see the Cisco ASA 5500 Series Command Reference.

Step 17 Save the new passwords to the startup configuration by entering the following command:

hostname(config)# copy running-config startup-config

Recovering Passwords for the PIX 500 Series Security Appliance

Recovering passwords on the PIX 500 Series ASA erases the login password, enable password, and aaa authentication console commands. To recover passwords for the PIX 500 Series ASA, perform the following steps:

Step 1 Download the PIX password tool from Cisco.com to a TFTP server accessible from the ASA. For instructions, go to the following URL:

Disabling Password Recovery

You might want to disable password recovery to ensure that unauthorized users cannot use the password recovery mechanism to compromise the ASA.

Command

Purpose

no service password-recovery

Disables password recovery.

On the ASA, the no service password-recovery command prevents a user from entering ROMMON mode with the configuration intact. When a user enters ROMMON mode, the ASA prompts the user to erase all Flash file systems. The user cannot enter ROMMON mode without first performing this erasure. If a user chooses not to erase the Flash file system, the ASA reloads. Because password recovery depends on using ROMMON mode and maintaining the existing configuration, this erasure prevents you from recovering a password. However, disabling password recovery prevents unauthorized users from viewing the configuration or inserting different passwords. In this case, to restore the system to an operating state, load a new image and a backup configuration file, if available.

The service password-recovery command appears in the configuration file for information only. When you enter the command at the CLI prompt, the setting is saved in NVRAM. The only way to change the setting is to enter the command at the CLI prompt. Loading a new configuration with a different version of the command does not change the setting. If you disable password recovery when the ASA is configured to ignore the startup configuration at startup (in preparation for password recovery), then the ASA changes the setting to load the startup configuration as usual. If you use failover, and the standby unit is configured to ignore the startup configuration, then the same change is made to the configuration register when the no service password recovery command replicates to the standby unit.

On the PIX 500 series security appliance, the no service password-recovery command forces the PIX password tool to prompt the user to erase all Flash file systems. The user cannot use the PIX password tool without first performing this erasure. If a user chooses not to erase the Flash file system, the ASA reloads. Because password recovery depends on maintaining the existing configuration, this erasure prevents you from recovering a password. However, disabling password recovery prevents unauthorized users from viewing the configuration or inserting different passwords. In this case, to restore the system to an operating state, load a new image and a backup configuration file, if available.

Resetting the Password on the SSM Hardware Module

To reset the password to the default of "cisco" on the SSM hardware module, perform the following steps:

Note Make sure that the SSM hardware module is in the Up state and supports password reset.

Command

Purpose

hw-module module 1
password-reset

Where 1 is the specified slot number on the SSM hardware module.

Note On the AIP SSM, entering this command reboots the hardware module. The module is offline until the rebooting is finished. Enter the show module command to monitor the module status. The AIP SSM supports this command in version 6.0 and later.

On the CSC SSM, entering this command resets web services on the hardware module after the password has been reset. You may lose connection to ASDM or be logged out of the hardware module. The CSC SSM supports this command in the most recent version of 6.1, dated November 2006.

Reset the password on module in slot 1? [confirm] y.

Enter y to confirm.

Using the ROM Monitor to Load a Software Image

This section describes how to load a software image to an ASA from the ROM monitor mode using TFTP.

Other Troubleshooting Tools

Viewing Debug Messages

Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco TAC. Moreover, it is best to use debug commands during periods of less network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use. To enable debug messages, see the debug commands in the Cisco ASA 5500 Series Command Reference.

Capturing Packets

Capturing packets is sometimes useful when troubleshooting connectivity problems or monitoring suspicious activity. We recommend contacting Cisco TAC if you want to use the packet capture feature. See the capture command in the Cisco ASA 5500 Series Command Reference.

Viewing the Crash Dump

If the ASA crashes, you can view the crash dump information. We recommend contacting Cisco TAC if you want to interpret the crash dump. See the show crashdump command in the Cisco ASA 5500 Series Command Reference.

Coredump

A coredump is a snapshot of the running program when the program has terminated abnormally —crashed. Coredumps are used to diagnose or debug errors and save a crash for later off-site analysis. Cisco TAC may request that users enable the coredump feature to troubleshoot application or system crashes on the ASA. See the coredump command in the Cisco ASA 5500 Series Command Reference

Common Problems

This section describes common problems with the ASA, and how you might resolve them.

Symptom The context configuration was not saved, and was lost when you reloaded.

Possible Cause You did not save each context within the context execution space. If you are configuring contexts at the command line, you did not save the current context before you changed to the next context.

Recommended Action Save each context within the context execution space using the copy start run command. Load the startup configuration as your active configuration. Then change the password and then enter the copy run start command. You cannot save contexts from the system execution space.

Symptom You cannot make a Telnet or SSH connection to the ASA interface.

Recommended Action Enable ICMP to the ASA for your IP address using the icmp command.

Symptom You cannot ping through the ASA, although the access list allows it.

Possible Cause You did not enable the ICMP inspection engine or apply access lists on both the ingress and egress interfaces.

Recommended Action Because ICMP is a connectionless protocol, the ASA does not automatically allow returning traffic through. In addition to an access list on the ingress interface, you either need to apply an access list to the egress interface to allow replying traffic, or enable the ICMP inspection engine, which treats ICMP connections as stateful connections.

Symptom Traffic does not pass between two interfaces on the same security level.

Possible Cause You did not enable the feature that allows traffic to pass between interfaces at the same security level.